7/29/2019 20 Access Lists (1/51)

IP Traffic Management With Access Lists
Why Use Access Lists?
- Manage IP traffic as network access grows
- Filter packets as they pass through the router
[Figure: a router joining 172.16.0.0 (FDDI) and 172.17.0.0 (Token Ring) to the Internet]
Access List Applications
- Permit or deny packets moving through the router (transmission of packets on an interface)
- Permit or deny vty access to or from the router (virtual terminal line access, IP)
Without access lists, all packets could be transmitted onto all parts of your network.
Other Access List Uses
- Priority and custom queuing (queue lists)
- Dial-on-demand routing
- Route filtering (what enters the routing table)
- Special handling for traffic based on packet tests
What Are Access Lists?
- Standard: checks the source address; generally permits or denies an entire protocol suite
- Extended: checks source and destination addresses; generally permits or denies specific protocols
Outbound Access Lists
[Flowchart: a packet arrives on an inbound interface (S0, E0) and is checked before leaving on an outbound interface]
1. Routing table entry for the destination? No: discard the packet and notify the sender. Yes: choose the outbound interface.
2. Access list on that outbound interface? No: transmit the packet. Yes: test the packet against the access list statements.
3. Permit? Yes: transmit the packet out the interface. No: discard it (packet discard bucket) and notify the sender.
If no access list statement matches, then discard the packet.
A List of Tests: Deny or Permit
[Flowchart: packets to the interface(s) in the access group are compared against each test in turn]
- Match first test? Yes: apply its action (deny: packet discard bucket; permit: destination interface(s)). No: go on to the next test.
- Match next test(s)? Same rule, top down: the first matching test decides.
- Match last test? Yes: apply its action. No: implicit deny, the packet is discarded.
If no test matches, deny all.
Access List Configuration Guidelines
- Access list numbers indicate which protocol is filtered
- One access list per interface, per protocol, per direction
- The order of access list statements controls testing; the most restrictive (most specific) statements should be at the top of the list
- There is an implicit deny any as the last access list test, so every list should have at least one permit statement
- Create access lists before applying them to interfaces
- Access lists filter traffic going through the router; they do not apply to traffic originated from the router
Access List Command Overview
Step 1: Set parameters for this access list test statement (which can be one of several statements)
Router(config)# access-list access-list-number {permit | deny} {test conditions}
Step 2: Enable an interface to use the specified access list
Router(config-if)# {protocol} access-group access-list-number {in | out}
IP access lists are numbered 1-99 (standard) or 100-199 (extended)
How to Identify Access Lists
Access List Type          Number Range/Identifier
IP    Standard            1-99, 1300-1999
      Extended            100-199, 2000-2699
      Named               Name (Cisco IOS 11.2 and later)
IPX   Standard            800-899
      Extended            900-999
      SAP filters         1000-1099
      Named               Name (Cisco IOS 11.2F and later)
- Standard IP lists (1 to 99) test conditions of all IP packets from source addresses
- Extended IP lists (100 to 199) can test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports
- Other access list number ranges test conditions for other networking protocols
Wildcard Bits
- 0 means check the corresponding address bit value
- 1 means ignore the value of the corresponding address bit
Examples (octet bit position and address value for each bit: 128 64 32 16 8 4 2 1):
0 0 0 0 0 0 0 0 = check all address bits (match all)
0 0 1 1 1 1 1 1 = ignore the last 6 address bits
0 0 0 0 1 1 1 1 = ignore the last 4 address bits
1 1 1 1 1 1 0 0 = check the last 2 address bits
1 1 1 1 1 1 1 1 = do not check the address (ignore all bits in the octet)
Wildcard Bits to Match a Specific Host Address
Test conditions: check all the address bits (match all)
An IP host address, for example 172.30.16.29, with wildcard mask 0.0.0.0 (checks all bits)
Example: 172.30.16.29 0.0.0.0 checks all the address bits
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29)
Wildcard Bits to Match Any IP Address
Test conditions: ignore all the address bits (match any)
Any IP address: 0.0.0.0 with wildcard mask 255.255.255.255 (ignore all)
Accept any address: 0.0.0.0 255.255.255.255
Abbreviate the expression using the keyword any
Wildcard Bits to Match IP Subnets
Check for IP subnets 172.30.16.0/24 to 172.30.31.0/24
Third octet of the network address 172.30.16.0:  0 0 0 1 0 0 0 0
Wildcard mask for that octet:                    0 0 0 0 1 1 1 1
The four high bits are checked and the four low bits are ignored, so the octet matches:
0 0 0 1 0 0 0 0 = 16
0 0 0 1 0 0 0 1 = 17
0 0 0 1 0 0 1 0 = 18
:
0 0 0 1 1 1 1 1 = 31
Address and wildcard mask: 172.30.16.0 0.0.15.255
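The wildcard arithmetic above, worked through in code. This is an added example, not part of the original slides or of any Cisco software: the helper names (wildcard_match, cidr_to_wildcard, cidr_to_acl_source, covering_wildcard) are my own. It reproduces the page's three cases (host, any, the 172.30.16.0 0.0.15.255 subnet range) and adds two checks a practitioner wants before pasting a mask into a router: whether a range of subnets is actually expressible as one address/wildcard pair without over-matching, and that IOS wildcards need not be contiguous (0.0.0.254 matches only even host addresses).

```python
"""Wildcard-mask helpers for Cisco-style access lists.

A wildcard bit of 0 means "check this address bit", a bit of 1 means
"ignore it": the wildcard is the bitwise inverse of a subnet mask, but
IOS does not require the 1 bits to be contiguous.
"""
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr, base, wildcard):
    """True when packet_addr agrees with base on every bit the wildcard marks 0."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)          # 1 = this bit must be compared
    return (_to_int(packet_addr) & care) == (_to_int(base) & care)


def cidr_to_wildcard(network):
    """'172.30.16.0/20' -> ('172.30.16.0', '0.0.15.255')."""
    net = ipaddress.IPv4Network(network)           # strict: host bits must be zero
    return str(net.network_address), str(net.hostmask)


def cidr_to_acl_source(network):
    """Render a CIDR block with the IOS shorthands: 'host A.B.C.D' for a /32,
    'any' for 0.0.0.0/0, and 'A.B.C.D W.X.Y.Z' otherwise."""
    base, wildcard = cidr_to_wildcard(network)
    if wildcard == "0.0.0.0":
        return "host " + base
    if wildcard == "255.255.255.255":
        return "any"
    return base + " " + wildcard


def covering_wildcard(first_subnet, last_subnet):
    """Smallest (address, wildcard) pair covering every address from
    first_subnet through last_subnet, plus a flag telling whether it covers
    exactly that range. A range that is not power-of-two aligned cannot be
    expressed with one contiguous wildcard; the pair returned then also
    matches addresses outside the range, which is the usual way an ACL
    ends up permitting more than intended."""
    lo = int(ipaddress.IPv4Network(first_subnet).network_address)
    hi = int(ipaddress.IPv4Network(last_subnet).broadcast_address)
    for prefixlen in range(32, -1, -1):            # longest prefix first
        net = ipaddress.IPv4Network((lo, prefixlen), strict=False)
        if int(net.broadcast_address) >= hi:       # net already starts at or below lo
            exact = int(net.network_address) == lo and int(net.broadcast_address) == hi
            return str(net.network_address), str(net.hostmask), exact


if __name__ == "__main__":
    # The page's examples, then the two checks described above.
    print(cidr_to_acl_source("172.30.16.29/32"))                       # host 172.30.16.29
    print(cidr_to_acl_source("0.0.0.0/0"))                             # any
    print(covering_wildcard("172.30.16.0/24", "172.30.31.0/24"))       # 172.30.16.0 0.0.15.255, exact
    print(covering_wildcard("172.30.16.0/24", "172.30.24.0/24"))       # same mask, NOT exact: 25-31 leak in
    print(wildcard_match("172.30.16.4", "172.30.16.0", "0.0.0.254"))   # True  (even host)
    print(wildcard_match("172.30.16.5", "172.30.16.0", "0.0.0.254"))   # False (odd host)
```

The exact flag is the check worth keeping: a request such as "permit subnets 16 through 24" has no single-line answer, and a mask chosen by eye (0.0.15.255) silently admits 172.30.25.0 through 172.30.31.0 as well.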
Configuring Standard IP Access Lists
Standard IP Access List Configuration
Router(config)# access-list access-list-number {permit | deny} source [source-wildcard]
- Sets parameters for this list entry
- IP standard access lists use 1 to 99
- Default wildcard mask = 0.0.0.0 (a single host)
- no access-list access-list-number removes the entire access list
Standard IP Access List Configuration (continued)
Router(config-if)# ip access-group access-list-number {in | out}
- Activates the list on an interface
- Sets inbound or outbound testing
- Default = outbound
- no ip access-group access-list-number removes the access list from the interface
Standard IP Access List Example 1: Permit my network only
[Figure: router with E0 to 172.16.3.0, E1 to 172.16.4.0 (host 172.16.4.13), S0 toward non-172.16.0.0 networks]
access-list 1 permit 172.16.0.0 0.0.255.255
(implicit deny all - not visible in the list)
interface ethernet 0
 ip access-group 1 out
interface ethernet 1
 ip access-group 1 out
Standard IP Access List Example 2: Deny a specific host
[Figure: same topology as Example 1]
access-list 1 deny 172.16.4.13 0.0.0.0
access-list 1 permit 0.0.0.0 255.255.255.255
(implicit deny all)
interface ethernet 0
 ip access-group 1 out
Because the list is applied outbound on E0 only, host 172.16.4.13 is cut off from the 172.16.3.0 network behind E0 but can still reach everything else.
Standard IP Access List Example 3: Deny a specific subnet
[Figure: same topology as Example 1]
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
(implicit deny all)
interface ethernet 0
 ip access-group 1 out
Control vty Access

Filter Virtual Terminal (vty) Access to a Router
- Five virtual terminal lines (0 through 4)
- Filter addresses that can access into the router's vty ports
- Filter vty access out from the router
[Figure: console port (direct connect); physical port e0 (Telnet); virtual ports vty 0 through 4]
How to Control vty Access
- Set up the IP address filter with a standard access list statement
- Use line configuration mode to filter access with the access-class command
- Set identical restrictions on all vtys: an incoming Telnet session is assigned to whichever vty is free, so a line left unrestricted is a way in
[Figure: Telnet arrives on physical port e0 and is assigned to one of vty 0 through 4]
Virtual Terminal Line Commands
Router(config)# line vty {vty# | vty-range}
- Enters configuration mode for a vty or vty range
Router(config-line)# access-class access-list-number {in | out}
- Restricts incoming or outgoing vty connections to the addresses in the access list
Virtual Terminal Access Example: Controlling Inbound Access
access-list 12 permit 192.89.55.0 0.0.0.255
!
line vty 0 4
 access-class 12 in
Permits only hosts in network 192.89.55.0 to connect to the router's vtys; every other source is dropped by the implicit deny.
Configuring Extended IP Access Lists
Standard versus Extended Access Lists
Standard                                      Extended
Filters based on source.                      Filters based on source and destination.
Permits or denies the entire TCP/IP suite.    Specifies a specific IP protocol and port number.
Range is 1 through 99.                        Range is 100 through 199.
Extended IP Access List Configuration
Router(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
- Sets parameters for this list entry
Router(config-if)# ip access-group access-list-number {in | out}
- Activates the extended list on an interface
Extended Access List Example 1
Deny FTP from subnet 172.16.4.0 to subnet 172.16.3.0 out of E0; permit all other traffic
[Figure: same topology as the standard examples: E0 to 172.16.3.0, E1 to 172.16.4.0 (host 172.16.4.13), S0 toward non-172.16.0.0 networks]
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
 ip access-group 101 out
The eq 21 line is the one that matters: it blocks the FTP control connection, so no data connection is ever negotiated. The eq 20 line only catches active-mode data connections; passive-mode data connections use ephemeral ports and would not match it.
Extended Access List Example 2
Deny only Telnet from subnet 172.16.4.0 out of E0; permit all other traffic
[Figure: same topology as Example 1]
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all)
interface ethernet 0
 ip access-group 101 out
Because the list is outbound on E0, only Telnet toward the network behind E0 is affected; Telnet to the router itself is controlled with access-class on the vty lines, not with an interface access list.
Using Named IP Access Lists
Router(config)# ip access-list {standard | extended} name
Router(config {std- | ext-}nacl)# {permit | deny} {ip access list test conditions}
Router(config {std- | ext-}nacl)# no {permit | deny} {ip access list test conditions}
Router(config-if)# ip access-group name {in | out}
- Feature for Cisco IOS Release 11.2 or later
- Alphanumeric name string must be unique
- Permit or deny statements have no prepended number
- "no" removes the specific test from the named access list
- ip access-group name activates the IP named access list on an interface
Access List Configuration Principles
- Order of access list statements is crucial. Recommended: use a text editor on a TFTP server, or use a PC to cut and paste
- Top-down processing: place more specific test statements first
- No reordering or removal of individual statements in a numbered list: use the no access-list number command to remove the entire access list. Exception: named access lists permit removal of individual statements
- Implicit deny all, unless the access list ends with an explicit permit any
Where to Place IP Access Lists
Recommended:
- Place extended access lists close to the source
- Place standard access lists close to the destination
A standard list can only match on source, so placing it near the source would cut that source off from every destination; an extended list identifies the exact flow, so dropping it near the source keeps the unwanted traffic off the rest of the path.
[Figure: routers A, B, C and D connected by interfaces E0, E1, S0, S1 and To0 (Token Ring)]
Verifying Access Lists
wg_ro_a#show ip int e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.11/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
Monitoring Access List Statements
wg_ro_a#show {protocol} access-list {access-list-number}
wg_ro_a#show access-lists {access-list-number}
wg_ro_a#show access-lists
Standard IP access list 1
    permit 10.2.2.1
    permit 10.3.3.1
    permit 10.4.4.1
    permit 10.5.5.1
Extended IP access list 101
    permit tcp host 10.22.22.1 any eq telnet
    permit tcp host 10.33.33.1 any eq ftp
    permit tcp host 10.44.44.1 any eq ftp-data